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INTRODUCTION 


The Network Advertising Initiative (“NAI”) is the leading self-regulatory body governing “third parties” in 

the online advertising ecosystem. The NAI is currently composed of more than 90 member companies and 
expanding. Since 2000, the NAI has imposed self-regulatory standards that establish and reward responsible 
business and data management practices with respect to the collection and use of data for Interest-Based 
Advertising and related practices. The NAI Code, first adopted in 2000, updated in 2008, and updated again 
with this revision in 2013, imposes notice, transparency, choice, and data security requirements on NAI member 
companies. Members are held to the promises they make to adhere to the NAI Code through a rigorous com- 
pliance and enforcement program that includes annual reviews, ongoing technical monitoring, mechanisms for 
accepting and investigating complaints of non-compliance, and sanction procedures. The NAI believes that, 
like a successful privacy program, effective self-regulatory programs must constantly evolve to take into account 
changes in business models, technologies, and public policy. The NAI strives to stay abreast of all such changes 
and ensure that the substantive obligations imposed on member companies reflect the current landscape. To 
that end, in 2012, the NAI convened a working group composed of dozens of member companies. That group, 
NAI staff, and the NAI Board of Directors evaluated the current advertising ecosystem, convening numerous 
conference calls to discuss such topics as: (1) changes in the ecosystem that the Code should address; (2) notice 
requirements; (3) choice requirements; and (4) prohibited uses of data collected for Interest-Based Advertising. 
From that work, the NAI developed a draft code of conduct, which it put out for public comment in March 
2013. The NAI incorporated the comments it received into this final 2013 NAI Code of Conduct. 


Purpose of this Revised Code 


With this 2013 update to its Code of Conduct, the NAI seeks to accomplish several goals. First, the NAI wants 
to ensure that NAI member companies continue to implement, honor, and maintain strong standards with 
respect to the collection and use of data for online advertising. The NAI recognizes the unique role that NAI 
members play in the Internet ecosystem. While our members are responsible for driving much of the revenue 
that allows web publishers and other “first parties” to provide the content and services that users enjoy for 
free, they also present unique concerns for some precisely because they lack a direct relationship with users. 
Even though NAI member companies primarily collect and use only non-personally identifiable information, 
we believe that the NAI must impose rigorous education, notice, and choice requirements. And, as noted 
above, we believe we must continue to adapt those requirements to ensure that our self-regulatory framework 
remains relevant and meaningful. 


Second, the “third party” online advertising ecosystem has expanded and become more complex since the 
NAI last updated its Code of Conduct in 2008. At its inception in 2000 and into 2008, the NAI was composed 
primarily of “ad networks” that collected data across a network of websites for the purpose of serving ads based 
upon users’ presumed interests. Today, NAl membership is still composed entirely of “third parties” (or, in the 
case of some member companies, with the parts of the businesses that collect data as a “third party”), but the 
variety of business models is substantially more varied. NAl members today include not only ad networks, but 
also demand side platforms (DSPs), supply side platforms (SSPs), data management platforms (DMPs), data 
aggregators, ad exchanges, creative optimization firms, yield optimization firms, sharing utilities, and others. 
The NAI wants to ensure that it can welcome all companies in the ad technology space, and that its Code of 
Conduct is flexible enough to accommodate both existing and emerging business models and practices. 


Finally, since the NAI last updated its Code of Conduct in late 2008, there have been significant changes in 
the regulatory and self-regulatory landscape surrounding online advertising. Shortly after the NAI released its 
2008 Code of Conduct, the FTC in February 2009 released a Staff Report setting forth a set of Self-Regulatory 
Principles for Online Behavioral Advertising. Those principles are substantially similar to the NAI Code, and 
the NAI had informally adopted those principles through its compliance program. Nevertheless, the FTC's 
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OBA Principles — and the “enhanced notice” requirement in particular — have not until this time been formally 
codified by the NAI. In addition, also since the NAI last updated its Code of Conduct, the Digital Advertising 
Alliance (DAA) adopted, and has since begun enforcing, principles governing the collection and use of data 
for Online Behavioral Advertising (OBA). The DAA has also adopted the “AdChoices” standard industry icon, 
which is designed to inform users where ads are targeted to their interests. That icon, which is served trillions 
of times a month, is now an important component of self-regulation of online behavioral advertising practices. 


Scope of the NAI Code 


The NAI Code governs only NAI member companies. It does not govern all data collection by member 
companies, but is limited to their “Interest-Based Advertising” and “Ad Delivery and Reporting” activities as 
defined in this Code. The Code does not govern member companies’ activities insofar as they are acting as 
first parties or solely on behalf of a single first party. For example, a company collecting and using data on a 
single domain or set of affiliated domains for the purpose of conducting analytics would not be covered by 
the Code so long as the data was not combined with data obtained on non-affiliated websites or sold for use 
on non-affiliate websites. To the extent a company collected data across non-affiliated websites, either for the 
purpose of engaging in Interest-Based Advertising or for Ad Delivery and Reporting across multiple websites, 
that activity would be governed by the NAI Code. 


As of today, the NAI Code applies to members’ Interest-Based Advertising and Ad Delivery and Reporting 
Activities that: (1) occur in the United States or (2) apply to U.S. users. We encourage NAI members to apply 
the high standards of the NAI Code to these activities globally (and many member companies do so), but only 
U.S.-based online advertising activities are subject to the NAI compliance program today. Member companies 
are, of course, expected to abide by the laws applicable to their businesses. The NAI Code generally goes 
above the requirements of applicable laws. However, to the extent there is a conflict between the NAI Code 
and a member's obligations under applicable law, the member should abide by the applicable law. 


While NAI members currently use cookies, javascript, and pixels for the activities governed by the NAI, 
the Code is intended to be neutral with respect to the technologies used for Interest-Based Advertising. 
As Interest-Based Advertising models expand beyond traditional desktop web browsing to mobile 
devices and tablets where cookies are ineffective, companies may use other technologies to collect data 
and target ads. The NAI anticipates that such technologies, properly implemented, will also provide users 
an appropriate degree of transparency and control, and the principles contained herein are intended to 
apply regardless of the technology used.! 


Relationship to the DAA’s OBA and Multi-Site Data Principles 


As noted above, the Digital Advertising Alliance has developed and enforces, through the Better Business 
Bureau (BBB) and the Direct Marketing Association (DMA), a set of Principles governing the collection and 
use of data for OBA, as well as a set of Principles governing the collection of data across unaffiliated websites 
more generally.2 The DAA is composed of six trade associations representing website publishers, advertisers, 
offline data providers, and the “third parties” represented by the NAI. As a result, its Principles for OBA and 
for Multi-Site Data collection govern the entire Internet ecosystem and impose obligations not only on third 
parties, but also on website publishers. 


1 The NAI Code is not intended to govern member companies’ collection and use of data on mobile applications. It is, however, 
intended to establish baseline standards from which mobile application-specific guidelines can be developed. The NAI is releasing in 
a separate document guidelines that specify the notice, choice, and other protections required of companies collecting and using data 
from mobile applications for Interest-Based Advertising and Ad Delivery and Reporting. 


2 See Digital Advertising Alliance, Self-Regulatory Principles for Online Behavioral Advertising (DAA OBA Principles), available at 
http://www.aboutads.info/obaprinciples; see also Digital Advertising Alliance, Self-Regulatory Principles for Multi-Site Data (DAA Multi- 
Site Data Principles), available at http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf. 
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Because NAI member companies are bound both by the DAAs Principles and by the NAI Code, this Code 
largely harmonizes with the DAAs Principles as they apply to the OBA and Ad Delivery and Reporting by 

NAI member companies. Thus, for example, the Code imposes an “enhanced” notice requirement for ads 
informed by Interest-Based Advertising and also makes explicit the purposes for which member companies 
may not use, or allow the use of, data collected for advertising purposes (borrowing from the DAA’s Multi-Site 
Data Principles). As always, unlike the DAA's OBA Principles, the NAI Code applies only to NAI members,? 
and only to the extent they are engaged in activities addressed by the NAI Code. As a result, obligations 
applicable to other companies in the advertising ecosystem contained in the DAA Principles are not included 
in the NAI Code. Similarly, obligations imposed on third-party advertising companies are in some cases 
phrased differently in this Code than in the DAA Principles. 


In some instances, this Code (like the 2008 NAI Code) imposes obligations on member companies beyond 
those required by the current DAA OBA and Multi-Site Data Principles. Those obligations include: (1) 
heightened notice and consent requirements for the merger of PII with Non-PII collected and used for 
“Interest-Based Advertising” (as defined in the Code); (2) contractual notice requirements; (3) a requirement 
to provide transparency with respect to any health-related interest segments; (4) a requirement that the 
technologies used for Interest-Based Advertising provide users an appropriate degree of transparency and 
control; (5) data retention limits and disclosure obligations; (6) reliable sources requirements; (7) limitations on 
the transfer of data collected for online advertising activities; and (8) access requirements for PII and associated 
Non-PIll used for Interest-Based Advertising. These additional obligations ensure both consumers and 
companies that do business with third parties that NAl member companies implement, honor, and maintain 
the highest standards for data collection for online advertising — increasing trust across the entire ecosystem. 
Thus, the NAI Code complements and enhances the DAA Principles. 


Framework of the Code 


The fundamental principle underpinning this Code is that differing notice and choice obligations 
should apply depending on the sensitivity and the proposed use of the data. This basic principle, which 
has long been recognized by the NAI, is supported by the FTC Final Privacy Report and the White 
House Privacy Report,* both of which explicitly acknowledge that privacy protections should not be 
applied in a “one-size fits all” approach but should be flexible, scalable, and take into account the 
context in which the data is collected and used. 


To that end, this Code identifies three categories of data of varying levels of “identifiability” and 
imposes different obligations on NAI members based on the sensitivity of the data. These three 
categories are: (1) Personally Identifiable Information (PII); (2) Non-PIl; and (3) De-Identified Data. PII 
refers to data that is used or intended to be used to identify a particular individual; Non-PIl refers to 
data that is not linked or reasonably linkable to an individual, but is linked or reasonably linkable to a 
particular computer or device; and De-Identitied Data refers to data that is not linkable to either an 
individual or a device. In addition, this Code imposes obligations with respect to “Sensitive Data” and 
“Precise Geolocation Data.” Sensitive Data is defined to include specific types of PII that are sensitive 
in nature, as well as Non-Pll related to precise health information and sexual orientation. Precise 
Geolocation Data is a defined term under the Code. 


3 The NAI Code does promote some best practices for non-NAl member companies. For example, the NAI requires member 
companies to work with reliable sources and requires member companies to require their website partners to provide notice and choice 
on their sites. The NAI does not, however, impose any obligations on non-NAI member companies. 


4 Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change, Recommendations for Businesses and 
Policymakers (March 2012) (FTC Final Privacy Report), available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf; White House, 
Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital 
Economy (February 2012) (White House Privacy Report), available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf. 
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2013 NAI CODE OF CONDUCT 


Definitions 


A. 


INTEREST-BASED ADVERTISING 


Interest-Based Advertising means the collection of data across web domains owned or operated by 
different entities for the purpose of delivering advertising based on preferences or interests known 
or inferred from the data collected. 


AD DELIVERY AND REPORTING 

Ad Delivery and Reporting is separate and distinct from Interest-Based Advertising and means the 
logging of page views or the collection of other information about a computer or device for the 
purpose of delivering ads or providing advertising-related services, including but not limited to: 
providing a specific advertisement based on a particular type of browser or time of day; statistical 
reporting in connection with the activity on a website; analytics and analysis; optimization of location 
of ad placement; ad performance; reach and frequency metrics (e.g., frequency capping); security and 
fraud prevention; billing; and logging the number and type of ads served on a particular day to a 
particular website. 


PERSONALLY IDENTIFIABLE INFORMATION (PII) 


Personally Identifiable Information (PII) is any information used or intended to be used to identify a 
particular individual, including name, address, telephone number, email address, financial account 
number, and government-issued identifier. 


NON-PIl 


Non-PIl is data that is not PII as defined in the NAI Code, but that is linked or reasonably linkable to 
a particular computer or device. Non-PIl includes, but is not limited to, unique identifiers associated 
with users’ computers or devices and IP addresses, where such identifiers or IP addresses are not 
linked to PII. Non-PIl does not include De-Identified Data. 


DE-IDENTIFIED DATA 


De-Identified Data is data that is not linked or reasonably linkable to an individual or to a particular 
computer or device. 


PRECISE GEOLOCATION DATA 


Precise Geolocation Data is information that describes the precise real-time geographic location of an 
individual derived through any technology that is capable of determining with reasonable specificity 
the actual physical location of a person or device, such as GPS level latitude-longitude coordinates 

or Wi-Fi triangulation. 


SENSITIVE DATA 


Sensitive Data includes: 

e — Social Security Numbers or other government-issued identifiers; 

e — Insurance plan numbers; 

e — Financial account numbers; 

e Precise information about past, present, or potential future health or medical conditions or 
treatments, including genetic, genomic, and family medical history; and 

e Sexual orientation. 
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H. OPT-IN CONSENT 


Opt-In Consent means that a user takes some affirmative action that manifests the intent to opt in. 


l. OPT-OUT MECHANISM 


Opt-Out Mechanism is an easy-to-use mechanism by which users may exercise choice to disallow 
Interest-Based Advertising with respect to a particular browser or device. 


ll. Member Requirements 
A. EDUCATION 


1. 


Members shall collectively maintain an NAI website to serve as a centralized portal offering 
education about Interest-Based Advertising, the requirements of the NAI Code, and 
information about and centralized access to user choice mechanisms. 


Members shall use reasonable efforts, both individually and collectively, to educate 
users about Interest-Based Advertising, and the choices available to them with respect 
to Interest-Based Advertising. 


B. TRANSPARENCY AND NOTICE 


i 


Each member company shall provide clear, meaningful, and prominent notice on its website that 
describes its data collection, transfer, and use practices for Interest-Based Advertising and/or 
Ad Delivery and Reporting. Such notice shall include descriptions of the following, as applicable: 


a. The Interest-Based Advertising and/or Ad Delivery and Reporting activities undertaken 
by the member company; 


b. The types of data collected, including any PII collected or used for Interest-Based 
Advertising or Ad Delivery and Reporting purposes; 


c. How such data will be used, including transfer, if any, to a third party; 


d. A general description of the technologies used by the company for Interest-Based 
Advertising and Ad Delivery and Reporting; 


e. That the company is a member of the NAI and adheres to the NAI Code; 


f. The approximate length of time that data used for Interest-Based Advertising or 
Ad Delivery and Reporting will be retained by the member company; and 


g. An Opt-Out Mechanism. 


Members that use standard interest segments for Interest-Based Advertising that are based 
on health-related information or interests shall disclose such segments on their websites. 
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Members shall require the websites where they collect data for Interest-Based Advertising to 
clearly and conspicuously post notice that contains: 


a. Astatement of the fact that data may be collected for Interest-Based Advertising; 
b. Adescription of types of data that are collected for Interest-Based Advertising purposes; 


c. An explanation of how, and for what purpose, the data collected will be used or 
transferred to third parties; and 


d. A conspicuous link to an Opt-Out Mechanism. 


As part of members’ overall efforts to promote transparency in the marketplace, members should 
make reasonable efforts to enforce contractual notice requirements and to otherwise ensure that 
all websites where they collect data for Interest-Based Advertising purposes furnish notices 
comparable to those described above. 


Members shall provide, or support the provision of, notice of Interest-Based Advertising data 
collection and use practices and the choices available to users in or around advertisements that 
are informed by Interest-Based Advertising. 


C. USER CONTROL 


i; 


The level of choice that members must provide is commensurate with the sensitivity and 
intended use of the data. Specifically: 


a. Use of Non-PIl for Interest-Based Advertising shall require an Opt-Out Mechanism, 
which shall be available both on the NAI website and on the member's website. 


b. Use of PII to be merged with Non-Pll on a going-forward basis for Interest-Based 
Advertising purposes (prospective merger) shall require provision of an Opt-Out 
Mechanism accompanied by robust notice of such choice. 


c. Use of PII to be merged with previously collected Non-PIl for Interest-Based 
Advertising purposes (retrospective merger) shall require a user's Opt-In Consent. 


d. Use of Precise Geolocation Data for Interest-Based Advertising shall require 
a user's Opt-In Consent. 


e. Use of Sensitive Data for Interest-Based Advertising shall require a user's 
Opt-In Consent. 


When a user has opted out of Interest-Based Advertising, member companies must honor the 
user's choice as to the particular browser or device. Companies may continue to collect data for 
other purposes, including Ad Delivery and Reporting. 


The technologies that members use for Interest-Based Advertising purposes must provide users 
with an appropriate degree of transparency and control. 
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D. USE LIMITATIONS 


il 


Member companies shall not create Interest-Based Advertising segments specifically targeting 
children under 13 without obtaining verifiable parental consent. 


Members shall not use, or allow use of, data collected for Interest-Based Advertising or Ad 
Delivery and Reporting for any of the following purposes: 


a. Employment Eligibility; 

b. Credit Eligibility; 

c. Health Care Eligibility; or 

d. Insurance Eligibility and Underwriting and Pricing. 


Members who make a material change to their Interest-Based Advertising data collection and 
use policies and practices shall obtain Opt-In Consent before applying such change to data 
collected prior to the change. In the absence of Opt-In Consent, data collected prior to the 
material change in policy shall continue to be governed by the policy in effect at the time 

the information was collected. 


E. TRANSFER RESTRICTIONS 


ale 


Members shall contractually require that any unaffiliated parties to which they provide PII for 
Interest-Based Advertising or Ad Delivery and Reporting services adhere to applicable 
provisions of this Code. 


Members shall contractually require that all parties to whom they provide Non-PIl collected 
across web domains owned or operated by different entities not attempt to merge such 
Non-PIl with PII held by the receiving party or to re-identify the individual without obtaining 
the individual's Opt-In Consent. This requirement does not apply where the Non-PIl is 
proprietary data of the receiving party. 


F. DATA ACCESS, QUALITY, SECURITY, AND RETENTION 


1. 


Members shall provide users with reasonable access to PII, and other information that is 
associated with PII, retained by the member for Interest-Based Advertising purposes. 


Members shall conduct appropriate due diligence to ensure that they obtain data used 
for Interest-Based Advertising from reliable sources that provide users with appropriate 
levels of notice and choice. 


Members that collect, transfer, or store data for use in Interest-Based Advertising and/or 
Ad Delivery and Reporting shall provide reasonable security for that data. 


Members engaged in Interest-Based Advertising and/or Ad Delivery and Reporting shall retain 
Non-PIl and PII collected for these activities only as long as necessary to fulfill a legitimate 
business need, or as required by law. 
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lll. Accountability 
A. MEMBER OBLIGATIONS 


il 


2. 


The NAI Code is self-regulatory in nature and is binding on all members of the NAI. 


To help ensure compliance with the NAI Code, each member company should designate 
at least one individual with responsibility for managing the company’s compliance with 
the NAI Code and providing training to relevant staff within the company. 


Membership in the NAI requires public representations that a member company’s business 
practices are compliant with each aspect of the NAI Code that applies to its business model, 
as supplemented by applicable implementation guidelines that shall be adopted by the NAI 
Board from time to time. Such representations involve explicit acknowledgement of NAI 
membership and compliance with the Code in each member's publicly available privacy 
policy, and inclusion in a group listing of participating companies on a designated page 

of the NAI website. 


B. NAI OVERSIGHT 


il: 


Members are required to annually undergo reviews of their compliance with the NAI Code 
by NAI compliance staff or other NAI designee. Members shall fully cooperate with NAI 
compliance staff or NAI designee, including in the course of annual compliance reviews 
and any investigation of a potential violation of the NAI Code. 


The NAI’s policies and procedures for annual compliance reviews and compliance investigations 
may be updated from time to time, and these policies and procedures shall be made available 
on the NAI website. These policies and procedures shall not only describe the process 
undertaken for a compliance review, but shall also articulate the penalties that could be 
imposed for a finding of non-compliance, including referral of the matter to the U.S. 

Federal Trade Commission. 


The NAI shall annually post on its website a report summarizing the compliance of its 
members with the NAI Code and NAI policies, including any enforcement actions taken 
and a summary of complaints received. 


C. USER COMPLAINTS 


ils 


The NAI website shall include a centralized mechanism to receive user questions or 
complaints relating to members’ compliance with this Code. 


Each member shall provide a mechanism by which users can submit questions or concerns 
about the company’s collection and use of data for Interest-Based Advertising, and shall 
make reasonable efforts to timely respond to and resolve questions and concerns that 
implicate the company’s compliance with the NAI Code and NAI policies. 
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COMMENTARY ON 2013 NAI CODE OF CONDUCT 


The purpose of the commentary is not to add substantive obligations on member companies or to alter the 
principles set forth in the Code itself, but to explain the intent behind certain provisions of the Code. The 
commentary is also intended to provide examples of ways member companies can meet the substantive 
obligations of the Code. 


l. Definitions 
INTEREST-BASED ADVERTISING 


Interest-Based Advertising is defined as the collection of data across web domains owned or operated 

by different entities for the purpose of delivering advertising based on preferences or interests known 

or inferred from the data collected. Consistent with the DAAs OBA Principles and the FTC's definition of 
Online Behavioral Advertising, the definition of Interest-Based Advertising does not include “contextual 
advertising,” in which the ad selected depends upon the content of the page on which it is served, or “first 
party” marketing, in which ads are customized or products are suggested based on the content of the page or 
users’ activity on the page (including the content they view or the searches they perform).° To the extent NAI 
member companies are engaged in such activities, those activities are outside of the scope of the NAI Code. 


Online Behavioral Advertising/Interest-Based Advertising has always been understood to include the 
collection of data about a computer or device's web viewing (or “click stream”) behavior over time to place 
browsers or devices into interest segments such as “car enthusiast” or “interested in travel.” In this Code, 
Interest-Based Advertising also includes the practice known as “retargeting,” where the ad served on one 
website is selected based on a visit to a different website. For example, if a user visits SampleTravel.com, 

and then visits SampleNewspaper.com and is served an ad for SampleTravel based on the previous visit to 
SampleTravel.com, that activity falls within the definition of Interest-Based Advertising even though the ad was 
selected based on a single website visit and the user may not have been included in an interest segment such 
as “interested in travel.” 


PII, NON-PII, AND DE-IDENTIFIED DATA 


The NAI Code divides data into three categories of “identifiability”: PII, Non-Pll, and De-Identified Data. 
Retrospective merger of PII with Non-PIl for Interest-Based Advertising requires Opt-In Consent; use of Non-PIl 
alone for Interest-Based Advertising requires notice and Opt-Out Consent; and use of De-Identified Data does 
not impose specific notice, consent, or data retention requirements. In addition, as discussed below, the 

Code imposes obligations with respect to “Sensitive Data” and “Precise Geolocation Data,” both of which 
require Opt-In Consent when used for Interest-Based Advertising. 


Under this framework, data is considered PII if it is used or intended to be used to identify an individual, 
Non-PIl if it is linked or reasonably linkable to a specific computer or device, and De-Identified Data if it is not 
linked or reasonably linkable to either an individual or to a specific computer or device. This framework mirrors 
the “reasonable linkability” analysis set forth in the FTC Final Privacy Report, which rejected a “bright line” 
test and instead adopted a scaled approach to evaluating risks and determining the obligations that attach 

to data.® This scaled approach recognizes that different categories of data present different levels of risk. 
Although regulators have raised questions about the utility of maintaining the traditional distinctions between 


5 See FTC Final Privacy Report, supra note 4, at 41; DAA OBA Principles, supra note 2, at 10-11 (defining OBA to exclude first party 
activity, ad delivery and ad reporting, and contextual advertising). 


6 See FTC Final Privacy Report, supra note 4, at 19-20 (acknowledging commenters’ concerns that requiring the same level of pro- 
tection for all data might undermine companies’ incentives to avoid collecting data that is easily identified). 
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PII and Non-PIl,” we believe it is appropriate for the NAI Code to continue to encourage efforts to prevent 
members from linking the Non-Pll they collect for Interest-Based Advertising and Ad Delivery and Reporting 
purposes with particular individuals. To encourage these data minimization efforts, the NAI Code continues to 
distinguish between PII and Non-Pll and to impose different notice and choice requirements for each, with the 
level of protection required increasing with the “identifiablitity” and sensitivity of the data. 


PII 

PII includes any information used or intended to be used to identify a particular individual, including name, 
address, telephone number, email address, financial account number, and government-issued identifier. 

In addition to the examples of PII enumerated in the definition, PII could include new technologies not 
currently in use for Interest-Based Advertising. For example, “faceprints” would be considered PII to the 
extent a company employed facial recognition technology for the purpose of identifying individuals, 

even if such faceprints were not linked to name, address, telephone number, email address, or other 
traditional identifiers. 


Non-Pll 

Non-PIl is defined as “data that is not PII as defined in the NAI Code, but that is linked or reasonably linkable 
to a particular computer or device. Non-PIl includes, but is not limited to, unique identifiers associated with 
users’ computers or devices and IP addresses, where such identifiers or IP addresses are not linked to PII. 
Non-PIl does not include De-Identified Data.” In order for data to be treated as Non-Pll under the NAI Code, 
the company would need to: (1) take measures to ensure that the data cannot reasonably be linked to a 
particular individual, such as using only randomly generated numeric identifiers rather than names or other 
personal information; (2) publicly commit to maintain the data as Non-PIl, and (3) take reasonable steps, such 
as contractual measures, to prevent any companies with whom it shares the Non-PIl from attempting to merge 
the data with PII or otherwise using the data to identify a particular individual (unless the Non-PIl is proprietary 
to the receiving party). 


De-Identified Data 

The NAI Code defines De-Identified Data as “data that is not linked, or reasonably linkable to an individual 
or to a particular computer or device.” In order to be considered “De-ldentified Data” under the NAI 
Code, the company must take steps similar to those enumerated above with respect to Non-PIl: (1) take 
reasonable steps to ensure that the data cannot reasonably be re-associated or connected or associated 
with an individual or with a particular computer or device, such as by removing the cookie identifier or IP 
address, or truncating the IP address; (2) publicly commit to maintain and use the data in a de-identified 
fashion and not attempt to re-associate the data with an individual or with a particular computer or device; 
(3) obtain satisfactory assurance that any non-affiliate that receives the De-Identified Data will not attempt 
to reconstruct the data in a way such that an individual or computer or device may be re-identified and will 
use or disclose the De-Identified Data only for uses specified by the NAI member company. This process 
mirrors the definition of “De-Identification Process” in the DAA’s Multi-Site Principles.® 


SENSITIVE DATA 


Health 

It is difficult to draw bright lines between “sensitive” and “non-sensitive” data in the health space. Whether 
a particular piece of data is sensitive may lie in the eye of the beholder and depend upon a number 

of subjective considerations. In recognition of that subjectivity, and following commentary provided in 
response to our draft 2008 Code, the NAI has not developed an exhaustive list of conditions or treatments 


7 See id. at 18-19. 


8 See DAA Multi-Site Data Principles, supra note 2, at 8. 
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that it considers to be “precise.” Rather, the NAI requires companies to consider a number of factors in 
determining whether a particular condition or treatment is “precise” and therefore requires the company 
to obtain Opt-In Consent if it wishes to serve ads based on presumed interest in the topic," including: the 
seriousness of the condition, its prevalence, whether it is something that an average person would consider 
to be particularly private in nature, whether it is treated by over-the-counter or prescription medications, 
and whether it can be treated by modifications in lifestyle as opposed to medical intervention. Under this 
analysis, all types of cancer, mental health-related conditions, and sexually transmitted diseases are “precise” 
and require Opt-In Consent. Other conditions, such as acne, high blood pressure, heartburn, cold and flu, 
and cholesterol management, the NAI considers to be generic and not topics that require Opt-In Consent. 
Similarly, interest in diet and exercise as well as vitamins and supplements typically do not relate to “precise 
information about past, present, or potential future health or medical conditions or treatments, including 
genetic, genomic, and family medical history” for which Opt-ln Consent is required. 


Section II(B)(2) of the NAI Code requires member companies to publicly disclose any standard interest 
segments they use for Interest-Based Advertising that are related to health conditions or treatments. Together, 
these two sections require members to obtain Opt-In Consent to serve ads on non-affiliate websites that 

are based on presumed interest in precise or sensitive health conditions or treatments (whether through 
“standard” interest segments, custom segments, or retargeting), and to disclose (and provide an Opt-Out 
Mechanism for) any “standard” interest segments that are based on non-precise, non-sensitive, 

health-related interests. 


Sexual Orientation 

By adding sexual orientation to the list of categories considered “sensitive,” the NAI intends to prohibit 
companies from collecting or storing information about a user's status or perceived status as gay, lesbian, 
bisexual, or transgendered for Interest-Based Advertising without obtaining Opt-In Consent. The NAI does 
not intend to prohibit retargeting based on visits to dating websites, wedding registries, services for couples 
(such as travel), or similar content. The NAI does, however, intend to prohibit the creation of interest segments 
such as “gay male” or “interested in LGBT issues,” as well as the retargeting of visitors to sites that reflect the 
user's sexual orientation, such as dating or travel sites targeted to LGBT visitors. While advertising on such 
websites and to the LGBT community is incredibly valuable, this policy recognizes that LGBT status may be 
considered sensitive in some contexts, and thus that Opt-In Consent should be obtained before using such 
data for Interest-Based Advertising. 


PRECISE GEOLOCATION DATA 


The definition of “Precise Geolocation Data” is intended to recognize that a range of technologies now and 
in the future may be able to provide “with reasonable specificity” the actual physical location of a device. 

At the same time, the definition is intended to exclude more general geographic location data, such as IP 
address-derived location, postal code, zip code, city, and neighborhood. While the NAI has removed “Precise 
Geolocation Data” from the definition of “Sensitive Data” for purposes of this Code update, the NAI believes 
that a user's precise location is often sensitive, particularly when such data can be used to build detailed 
profiles of user movements over time. 


9 The 2008 NAI Code was always intended to require Opt-In Consent to target users on the basis of any presumed interest in, as well 
as actual knowledge of, “precise” health conditions or treatments, not merely actual knowledge that the user suffers from such condition. 
Nevertheless, there has been considerable confusion among member companies and others on this point. See, e.g. http://blog. 
privacychoice.org/2011/12/14/yet-another-better-definition-of-sensitive-boundaries-for-ad-targeting/ (stating that the NAI’s standard 
applies only to the actual health status of the user). With this commentary, the NAI intends to make clear that targeting users on the basis 
of any presumed interest in, not merely actual knowledge of, precise or sensitive health-related topics requires Opt-In Consent. 


10 These requirements apply only to the extent member companies are collecting data to associate users with presumed interests. 
They do not apply to members’ services that do not require tagging users’ browsers or devices, such as categorizing websites 


associated with particular conditions or treatments so that advertisers can serve contextual advertising on those sites. 
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ll. Member Requirements 
MEMBER-PROVIDED NOTICE ($ 11(B)(1)) 


Section II(B)(1) of the NAI Code requires companies to provide clear, meaningful, and prominent notice 
concerning their data collection practices. To meet the “prominent” requirement, companies should provide 
conspicuous links to their consumer-facing disclosures, such as obvious links to privacy policies, “consumer 
information” links, and independent links to Opt-Out Mechanisms. Links to privacy policies and other 
consumer-facing materials (such as an opt-out page) should be in a location that is easy for users to locate, 

in an appropriate size font, and in a color that does not blend in with the background of the page. To meet 
the “clear and meaningful” requirement, the notice should describe the company’s data collection and use 
practices in an understandable manner and accurately reflect the company’s data collection and use practices. 
In describing the types of data they collect, members that obtain data from third parties for purposes of 
supplementing user profiles should disclose the data they collect and how they use it for Interest-Based 
Advertising. 


Finally, members should describe their data collection and use practices in as clear and concise a manner as 
possible. Members are also required to disclose the technologies they use for Interest-Based Advertising and 
Ad Delivery and Reporting. Member companies are not required to disclose the technologies they use with a 
level of specificity that would reveal their proprietary business models. 


HEALTH TRANSPARENCY (8 II(B)(2)) 


Under section II(C)(1)(e) of the Code, member companies continue to be required to obtain Opt-In Consent 
for the collection and use for Interest-Based Advertising of “Sensitive Data,” which is defined to include 
“orecise information about past, present, or potential future health or medical conditions or treatments, 
including genetic, genomic, and family medical history.” As a result, if an NAl member company were to 
seek to serve ads to users on the basis of knowledge of a user's health condition or treatments or presumed 
interest in sensitive health conditions such as cancer, mental health-related conditions, or sexually transmit- 
ted diseases, the company would need to clearly explain that intent and obtain Opt-In Consent for such 
use. The transparency requirement, by contrast, is intended to capture those interest segments for which 
Opt-In Consent is not required under the Code, but nevertheless may factor into an individual's decision 
about whether to opt out of Interest-Based Advertising by a particular member company. Thus, for example, 
member companies may seek to target users on the basis of such general health categories as headaches, 
allergies, or diet and fitness that would not require Opt-In Consent, but would require disclosure under 

the transparency policy. The disclosure may be in, or linked from, the member's privacy policy, in other 
consumer-facing materials, such as a preference manager, or in another location on the member's website 
that is reasonably easy for users to find. 


In addition to disclosing their standard interest segments that are related to health conditions or treatments, 
members are expected to have internal policies governing any use of health-related targeting. Many NAI 
members do not have “standard” interest segments, but rather engage solely in retargeting, keyword 
retargeting, or the creation of “custom” segments. Other members do have standard interest segments, but 
also allow their clients to create custom or retargeted segments. In all such cases, members must ensure, 
consistent with Section II(C)(1)(e), that they obtain Opt-In Consent for any targeting (including retargeting or 
custom segments) that is based on “precise” health conditions or treatments. 
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WEBSITE NOTICE ($ 11(B)(3)-(5)) 


Contractual Notice Requirements (8 II(B)(3)-(4)) 

Where an NAI member company has a direct contractual relationship with a website where it collects data for 
Interest-Based Advertising, it must contractually require the website to post notice of Interest-Based Advertising 
data collection and link to an Opt-Out Mechanism." Such notice should be provided in a privacy policy or 
separate footer link, such as “About our Ads.” Members should use reasonable efforts to enforce contractual 
notice provisions, as well as to ensure that notice is provided even in the absence of a contractual requirement 
to provide such notice. Members should seek to ensure that notice is provided where they collect data by, for 
example, regularly checking a reasonably sized sample of the websites where they collect data for Interest- 
Based Advertising to ensure that they provide appropriate notice and following up with those that do not." 


Enhanced Notice Requirement (8 II(B)(5)) 

The Code requires members to “provide, or support the provision of” notice in or around the ads they serve. The 
NAI expects that companies who lack the ability to include the standard industry icon or other form of enhanced 
notice on ads will nevertheless support the provision of such notice by configuring their systems to support 

that capability. In addition, if a publisher or advertiser asks an NAl member to conduct a campaign informed by 
Interest-Based Advertising without enhanced notice, the NAl member should decline to conduct the campaign 
and should report such advertisers and publishers to the BBB or DMA compliance program. The NAI will work 
with DAA and DAA member organizations to educate advertisers and publishers on the requirements of the 
DAA program, including the requirement that all Interest-Based ads include enhanced notice. 


CHOICE ($ II(C)) 


Provision of Choice Mechanisms (8 II(C)(1)) 

The NAI Code requires members to provide an Opt-Out Mechanism for the collection and use of Non-PIl 
for Interest-Based Advertising purposes, and to obtain Opt-ln Consent for the use of Sensitive Data, Precise 
Geolocation Data, and the retrospective merger of PII and Non-PIl for Interest-Based Advertising purposes. 
For the prospective merger of PII and Non-PIl for Interest-Based Advertising purposes, the Code requires 
the provision of an Opt-Out Mechanism coupled with “robust” notice. To be considered “robust” under this 
provision, such notice must be provided immediately above or below the mechanism used to authorize the 
submission of any PII. The notice should also clearly and conspicuously describe the scope of any Non-PIl to 
be merged with PII and how the merged data would be used for Interest-Based Advertising purposes. 


Honoring Opt-Out Choices (§ II(C)(2)) 

Following an opt out, companies must cease collecting and using data for Interest-Based Advertising 
purposes, but may continue to collect data for other purposes, including Ad Delivery and Reporting. It is 
widely acknowledged that certain commonly accepted “internal operations” practices should not require user 
choice and thus that collection of data for such purposes following an opt out is permissible. Such purposes 


11. The requirement to contractually require a website publisher to post notice applies only where the NAI member itself is collecting 
data. Some member companies do not themselves collect data, but facilitate others’ collection of data for Interest-Based Advertising 
purposes, such as by providing software or other technology that allows others to collect such data. The NAI encourages, but does 

not require, members to ensure that proper notice is provided where their technology is used to collect data for Interest-Based 
Advertising purposes. 


12 The contractual notice provisions are intended to ensure that users are provided notice at the point of data collection, even where 
there is no ad served. Some member companies may collect data for Interest-Based Advertising purposes only where they serve ads. 
Member companies that provide in-ad notice pursuant to section II.B(5) and only collect data for Interest-Based Advertising where 

they serve ads will ensure that notice is provided wherever they collect data for Interest-Based Advertising, and need not contractually 
require their website partners to provide notice or enforce contractual notice requirements. 


13 Similarly, because enhanced notice will now be a requirement of the NAI Code, the NAI will have authority to enforce the 
enhanced notice requirements against NAl member companies under its compliance and enforcement program. 
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include frequency capping and similar advertising inventory metrics.'* They also include calculating usage 
statistics and verifying ad delivery. The NAI Code accordingly allows member companies to continue to 
collect data for such purposes following a user's choice to opt out. 


While companies may continue to collect and use data for purposes other than Interest-Based Advertising 
following an opt out, their Opt-Out Mechanisms must be consistent with the representations they make to 
users and to NAI staff. The NAI works with each member company during the pre-certification and annual 
review processes to ensure that its opt out, at minimum, stops the collection of data across unaffiliated 
domains for purposes of delivering advertising based on inferred or known preferences or interests. Some 
companies’ opt-out tools cover activity that does not squarely fall within the definition of “Interest-Based 
Advertising” as defined in this Code. The NAI expects that companies’ opt outs will be consistent with the 
representations made to NAI staff and in their privacy policies and will hold companies accountable for their 
representations through the NAI's sanctions procedures. 


Technologies Used for Interest-Based Advertising (8 II(€)(3)) 

The NAI Code is intended to be technology-neutral, imposing the same obligations on member companies 
regardless of the technologies they use for Interest-Based Advertising. At the same time, the NAI believes that 
all technologies member companies use for online advertising activities should afford users an appropriate 
degree of transparency and control. While member companies currently primarily use cookies and pixel tags 
for Interest-Based Advertising, the NAI believes that technologies other than standard HTTP cookies can 
provide an “appropriate” level of transparency and control when implemented consistent with NAI standards. 
The NAI is working to develop policies with respect to the use of non-cookie technologies, particularly those 
that facilitate cross-device tracking and those that allow tracking on mobile devices. 


USE LIMITATIONS (8 II(D)) 
Children (8 II(D)(1)) 


The NAI Code forbids member companies from creating interest segments specifically targeted to children 
under 13 without obtaining verifiable parental consent. NAl member companies, of course, must also comply 
with the FTC's COPPA rules as such rules may be updated from time to time. 


Prohibited Uses (8 I1(D)(2)) 

The NAI's prohibition on the use of data collected for Interest-Based Advertising and Ad Delivery and 
Reporting for eligibility decisions is consistent with the White House's “Respect for Context” principle — that 
consumers have a right to expect that companies will collect, use, and disclose personal data in ways that 
are consistent with the context in which the data was provided."* Users are made aware, through in-ad notice 
and privacy policies of website publishers, that data is collected for the purpose of providing more relevant 
ads. The use of such data for purposes other than marketing, including any insurance, health, credit, or 
employment eligibility decisions, would be inconsistent with that context. 


Material Changes ($ I1(D)(3)) 

A “material” change for purposes of this provision generally will relate to the collection or use of PII for 
Interest-Based Advertising purposes or the merger of Non-PIl with PII when a company previously represented 
that it does not collect PII for Interest-Based Advertising purposes or merge PII with Non-Pll. Changes are 


14 See FTC Final Privacy Report, supra note 4, at 39. 
15 See id. at 12 (stating that data collection for such purposes may not require companies to provide “extensive options for control”). 


16 = See White House Privacy Report, supra note 4, at 18 (encouraging companies engaged in online advertising to refrain from 
collecting, using, or disclosing data that may be used to make decisions regarding employment, credit, and insurance eligibility or 
similar matters that may have significant adverse consequences to consumers and noting that such uses are at odds with generating 
revenue and providing consumers with ads that they are more likely to find relevant). 
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not material for purposes of this provision if they result in less collection or use of data, or when a company 
changes its disclosures to provide greater transparency about its existing practices. We encourage member 
companies to innovate and provide increased transparency around their data collection and use practices, and 
this section is not intended to cover efforts to provide increased transparency for existing practices. 


TRANSFER RESTRICTIONS (8 II(E)) 


The restrictions on the transfer and use of data collected across non-affiliate websites for Interest-Based 
Advertising or Ad Delivery and Reporting purposes are extensions of the requirements set forth above for data 
to be treated as Non-PIl rather than PII under the NAI Code. In addition to contractually forbidding the third 
party from merging the Non-PII collected across non-affiliated websites with Pll without obtaining the user's 
Opt-In Consent or from otherwise attempting to identify the individual using Non-PIll, members should impose 
technical measures to help prevent the receiving party from engaging in such activities. For example, member 
companies that pass encrypted data to third parties should not provide the encryption key. These restrictions 
do not apply when the NAI member is acting as a service provider for a single party and the data transferred is 
proprietary to that party. 


ACCESS (8 II(F)(1)) 


NAI member companies collect and use data for marketing purposes. Indeed, members are forbidden 
from using, or allowing to be used, the data they collect for any eligibility decisions. In light of the limited 
purposes to which member companies are permitted to use the data they collect, the NAI Code requires 
member companies to provide reasonable access to any PII and associated Non-PII collected and used for 
Interest-Based Advertising purposes, but does not require companies to provide access to Non-PIl that is 
not associated with PII. Though not required by the NAI Code, some NAI member companies provide 
users access to Non-Pll-based interest segments associated with their browsers. The NAI believes that 
these "preference managers” are an excellent means of providing users increased levels of transparency 
and control. Accordingly, the NAI continues to encourage such access to Non-PIll as a best practice. 


RELIABLE SOURCES ($ II(F)(2)) 


Generally, the NAI encourages member companies to obtain data from companies that are part of the NAI or 
another self-regulatory program. Additional steps that companies should take to ensure that their data sources 
provide appropriate protection for data include: (1) reviewing the company’s privacy policy; (2) understanding 
the technologies the company uses to collect data and whether the company provides an effective opt out 
that, if possible, is included on an industry-wide opt-out page; (3) ensuring that the data source secures an 
appropriate level of consent; and (4) reviewing the company’s marketing materials to understand how the 
company collects data from users and what types of data it collects. Such measures are particularly important 
when member companies obtain data from companies that are not NAl members or otherwise subject to 
oversight of their privacy practices. 


DATA RETENTION (8 II(F)(4)) 


The NAI Code requires member companies to keep data that is “reasonably linkable to a device,” and 

thus considered Non-Pll under the Code (or any PII used for Interest-Based Advertising or Ad Delivery and 
Reporting purposes) only so long as necessary to serve their business needs. In accordance with section II(B) 
(1)(f), member companies are required to publicly disclose the period for which they retain such data for those 
purposes. At the end of that publicly stated retention period, members are required to either delete such data, 
or to render it De-Identified Data by taking steps to ensure that it cannot reasonably be linked to a particular 
person, computer, or device. Such measures may include removing unique user identifiers, removing IP 
addresses, and/or truncating the IP addresses. 
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